I aim to implement FMC by utilising:
1) Active Directory for creating Access Control rules based on AD Groups
2) ISE as an Identity source
I intend that the user's login ID should be visible in all logs; also, I do not want to use User Agent as an Identity Source, I want to use ISE.
So far I configured the following:
1) Successfully added AD as a realm, and able to download Users and Groups
2) Added ISE as Identity Source, added pxGrid Server CA, MNT Server CA and FMC Server Certificates, "Test" works successfully.
I created an access policy
Source Zone / Source Destination: Any / Any
Under 'Users' tab, I select an AD group who I want to restrict access and select appropriate 'Applications' and 'URLs'.
Then I have some generic Allow / Deny rules.
1) This doesn't work. Rule 1 is never processed, and "Default Action (Balanced Security and Connectivity)" is invoked.
2) I don't see user name in the event log either.
3) In AD Realms, though I am able to download users and groups, 'Test AD Join' says 'Test AD join Failed'; could this be the reason for the entire failure?
4) Do I have to configure anything on ISE? I configured the following authorisation rule but I see no hits, I am not an expert on ISE and may have got this completely wrong.
I admit I may not have done everything required for this setup, and I seek help with the same.
Thank you very much in advance.
Hi Marvin, thank you for your response. The auto approval is enabled and pxGrid is connected successfully.
"Connected to pxGrid ciscoise.xxxxx.net" is what I see when I go to Administration, then pxGrid Services.
If the user is never triggering an Authorization rule in ISE then there will be no identity to share with the FMC. Thus I would recommend you focus on the ISE side.
Check your RADIUS live logs in ISE to see what rule is being matched and adjust your policy set accordingly until you have the desired Authorization rule match in ISE. At that point there should be endpoint context that can be shared with FMC.